Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-14980
Publication date:
10/10/2017
Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attackers to have unspecified impact via a long username parameter to /login.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5637
Publication date:
10/10/2017
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-13723
Publication date:
10/10/2017
In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local attacker authenticated to the X server could overflow a global buffer, causing crashes of the X server or potentially other problems by injecting large or malformed XKB related atoms and accessing them via xkbcomp.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2025

CVE-2017-13721
Publication date:
10/10/2017
In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2025

CVE-2017-14614
Publication date:
10/10/2017
Directory traversal vulnerability in the Visor GUI Console in GridGain before 1.7.16, 1.8.x before 1.8.12, 1.9.x before 1.9.7, and 8.x before 8.1.5 allows remote authenticated users to read arbitrary files on remote cluster nodes via a crafted path.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-14603
Publication date:
10/10/2017
In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2015-7842
Publication date:
10/10/2017
Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V100R003C00SPC602, RH1288 V3 with software before V100R003C00SPC602, RH2288A V2 with software before V100R002C00SPC701, RH1288A V2 with software before V100R002C00SPC502, RH8100 V3 with software before V100R003C00SPC110, CH222 V3 with software before V100R001C00SPC161, CH220 V3 with software before V100R001C00SPC161, and CH121 V3 with software before V100R001C00SPC161 allow remote authenticated operators to change server information by leveraging failure to verify user permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2014-9474
Publication date:
10/10/2017
Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2014-0030
Publication date:
10/10/2017
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-14971
Publication date:
09/10/2017
Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosure vulnerability. The attacker provides a crafted Microsoft Office document containing a link that has a UNC pathname associated with an attacker-controller server. In one specific scenario, the attacker provides an Excel spreadsheet, and the attacker-controller server receives the victim's NetNTLMv2 hash.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-14973
Publication date:
09/10/2017
IDenticard Two-Reader Controller Configuration Manager 1.18.8 (396) is vulnerable to Stored Cross-Site Scripting (XSS) via the notes field in /~user_handler?file=logged_in.shtm (aka the edit user page).
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-15185
Publication date:
09/10/2017
plugins/ogg.c in Libmp3splt 0.9.2 calls the libvorbis vorbis_block_clear function with uninitialized data upon detection of invalid input, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025
Subscribe to Vulnerabilities